Hiding and Recovering Data on Linux

neuroticia writes "linuxsecurity.com has an interesting article on data hiding and recovery: "On a 4GB Linux partition, the block size is typically 4K (chosen automatically when the mke2fs utility is run to create a filesystem). Thus one can reliably hide up to 4KB of data per file if using a small file. The data will be invulnerable to disk usage, invisible from the filesystem, and, which is more exciting for some people, undetectable by file integrity checkers using file checksumming algorithms and MAC times. Ext2 floppy (with a block size of 1KB) allows hiding data as well, albeit in smaller chunks.""

Re:just to make sure..

[-brazil-]

Better yet, how about combining the "slack space" concept with that of a steganographic filesystem? In fact, the two concepts fit together very well...

shred

[ksw2]

They didn't mention...

shred -u [filename]

...in the article. It beats writing /dev/zero to your entire free space. Besides, if you try and overwrite your free space by dd'ing from /dev/zero, won't the outfile top out at 2 gigs on ext2?

Won't hide from raw access

[redelm]

File/block slack is hardly news. Nor is it even moderately secure.

One of the first things a forensic analyst will do, mostly in search of deleted blocks is `strings /dev/hda1`. More likely off a ro image, but out everything ASCII will pop.

Have a look at The Coroner's Toolkit

Re:Won't hide from raw access

[markmoss]

Yes, searching the raw data would definitely pop up ASCII strings in the slack space -- and it's quite likely the first thing the FBI would do if it was searching your HD for evidence that, say, you were plotting a terrorist attack on the MPAA, would be to search the entire disk for "MPAA" and "bomb".

So, encrypt it before you hide it in the tail. Make sure the encryption format doesn't have a recognizable header. If you don't want to bother with real encryption, exclusive-OR with 0xAA, and it will look like random leftover binary data, just what would be expected to be left in the slack space. Just don't write how and where you hid it on a sticky note...

I used to be paranoid..

[linuxrunner]

And I used to encrypt everything... Hide files, secure my boxes with passwords that were ridiculous!!!!

Then..

I had to stop and wonder why I was doing it. No one was writing e-mail to my using my PGP. Even though I made it available on my web site, and sent as attachments to people could e-mail me back using it. No one did.
I bought secure removable media. A chain to keep it on me. And had it encrypted. Now i just keep it in a bag with my laptop and never bother to use it.
My palm pilot has encrypted media.
No ones ever touched it... I just keep it on my desk hooked up to my Linux box for easy syncing...

What's my point.. Do I have one? MAYBE.

I stopped because I was lazy. I didn't have anything to hide, nothing I do is that important that I have to encrypt it. My code is opensource, and my bank info and passwords, etc are kept on my linux laptop, not on a server.

I guess, I'd like to know Who is using constant encryption and why?
For me, Encryption needs to be strong, standard, and integrated, otherwise it's just a pain.

This of this as an e-mail client. Kinda like PGP but easier.
I write an e-mail. I click "send". My e-mail client checks the "encryption" server. It finds a match for the e-mail recipient I'm sending to and downloads the PGP file and encrypts the e-mail to the recipients specifications. I did not have to do anything. If no PGP key is found then it will be sent unencrypted and let you know that it is doing so.